On 19 May 2017, the Cyberspace Administration of China (the CAC) released a revised draft of its Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures (the Second Draft Export Review Measures).
The draft emerged just over a week after public comments closed on the first draft of the measures, which we discussed in our earlier briefing here (the First Draft Export Review Measures). There was a significant volume of industry commentary, and the Second Draft Export Review Measures do, to some extent, relax some of the more stringent requirements stated in the First Draft Export Review Measures originally due to become law on 1 June, 2017 when China’s Cyber Security Law takes effect. However, the revised draft measures as set out in the Second Draft Export Review Measures still leave a significant compliance challenge for multi-national corporations operating in China (MNCs). In addition, the test for when a data localization requirement will kick in has not really changed under the Second Draft Export Review Measures — the fundamental position remains that without security review approval and clearance data cannot be exported and must be (logically) stored in China.
Exactly one year before the EU General Data Protection Regulation (GDPR) becomes applicable, global law firm Hogan Lovells has launched GDPRnow, a mobile application that provides companies with assistance to identify practical steps to comply with the new framework.
Conceived entirely in-house by the firm’s Privacy and Cybersecurity team, GDPRnow is the first app ever aimed at generating a GDPR compliance action plan specific to an individual business’s activities.
On June 7, 2017, join us for a discussion of hot topics in Federal Trade Commission (FTC) and state consumer protection enforcement. Partners Bret Cohen, Meghan Rissmiller, and Steven Steinborn will cover recent developments and enforcement trends in data privacy and security, advertising, endorsements, and claim substantiation in practice before the FTC and state authorities.
The Hong Kong Securities and Futures Commission (“SFC”) has issued a paper containing proposals to introduce cyber security guidelines under the Securities and Futures Ordinance (the “SFO”) applicable to internet brokers (the “Cyber Security Consultation Paper”). Comments are open through 7 July 2017.
Major companies, health care organizations and government agencies are facing a wave of cyberattacks involving ransomware that takes control of computers and denies access until a ransom is paid. These attacks are occurring on a global scale and in some cases are having a significant impact on business and healthcare operations. The cyberattack has disrupted targets throughout the world from Britain’s National Health Service to US Fortune 500 companies, the Russian Foreign Ministry, and universities in China.
“Connected” products—not just traditional IT products—are increasingly subject to cyber attacks globally. The question companies are (and should be) asking is no longer whether there will be an attack involving Internet of Things (IoT) devices and infrastructure, but when. Join us on May 24 for the third installment of our 2017 IoT webinar series and get practical guidance from our international team of cybersecurity lawyers, who will present key elements of Hogan Lovells’ well-received client workshop on this rapidly evolving topic.
The Digital Economy Bill passed into UK law last Thursday 27 April 2017 amidst the flurry of activity known as the “wash up” period before the dissolution of Parliament and ahead of the early general election in the UK to be held on 8 June. The Digital Economy Act introduces measures to “modernise the UK for enterprise,” and includes plans for public sector data sharing, direct marketing and age verification for online pornography, amongst other measures. An overview of these measures is set forth in this post.
On 27 April 2017 the German Parliament passed an entirely new Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The new BDSG replaces the old BDSG, which has been in force for the last 40 years. The new BDSG adapts German law to the provisions of the EU General Data Protection Regulation (GDPR). It will now form the basis for the adaptation of other German acts to the GDPR. Further acts concerning special processing situations, such as social security data protection, are likely to follow.
New York AG Settles Data Protection Enforcement Against Mobile Health Apps
After a year-long investigation into mobile health apps claiming to be able to measure vital signs or health indicators through smartphone sensors, the New York Attorney General (NY AG) settled claims against three developers alleged to have engaged in “misleading” marketing claims and “irresponsible” privacy practices. Mobile health apps Cardiio and Runtastic claimed that their apps effectively and accurately measured heart rate after vigorous exercise using only a smartphone camera and sensors. The third, Matis, claimed that its app transformed a smartphone into a fetal heart monitor.
Concerned that unregulated apps claiming to measure key vital signs and other health indicators may harm consumers if the apps provide inaccurate or misleading results, NY AG Eric Schneiderman brought enforcement actions against the trio of developers.
The steady trickle of GDPR guidance from the Article 29 Working Party continues. Fresh from finalising its guidance on data portability, lead supervisory authorities and data protection officers, the Working Party has published draft guidance on data protection impact assessments (DPIA), the full text of which is available on the Working Party website. Comments can be submitted to the Working Party by 23 May 2017, after which the guidance will be finalised.